
I'm having an issue with setting up a certificate on my CentOS 7 VPS that runs VestaCP with Nginx and PHP-FPM for a website that runs the WordPress CMS via SSL (we already have a signed and running GoDaddy certificate). Basically what I am doing is adding a Payeezy FirstData certificate to a WordPress with WooCommerce project using these steps:

  1. Running this command from SSH: `openssl req -newkey rsa:2048 -sha256 -keyout 1234567key.pem -out 1234567req.pem -subj "/C=LV/O=domain.com/CN=1234567" -outform PEM`, where 1234567 is the Merchant ID
  2. Signing the request at https://secureshop-test.firstdata.lv/keystore_.do using the 1234567req.pem file for the test system and then getting the ECOMM-test.pem and 1234567.pem files as a response e-mail.
  3. Running this command: `openssl pkcs12 -export -in 1234567.pem -out 1234567keystore.p12 -certfile ECOMM-test.pem -inkey 1234567key.pem`
  4. Running this command: `openssl pkcs12 -in 1234567keystore.p12 -out 1234567keystore.pem`

After doing this I asked FirstData to add our VPS IP address to their allowed hosts.

According to the documentation and their support I've done everything right so far and all should work, but when I try to run the sample transaction .php script I get this response:

startDMSAuth: Peer does not recognize and trust the CA that issued your certificate.

Which in human language means - your server does not trust the authority that signed this certificate. Please add it to Trusted Store Certificate Authority list (something like that).

The problem is that I don't know how to do it (add a CA to the Trusted Store CA list on CentOS 7 running VestaCP with Nginx and PHP-FPM) and can't find proper documentation or a tutorial on how to do it, so I was hoping someone here has had experience with this and could explain to me and others with the same issue how to do it.

richardev
  • Try reading this https://stackoverflow.com/questions/34162475/error-ssl-error-unknown-ca-alert-peer-does-not-recognize-and-trust-the-ca-that-i#34163253 – delboy1978uk Oct 22 '18 at 15:22
  • I've read this and lots of other Q&As here. The post that you shared is about a certificate that is SELF-signed, but in my case I need to send CSR to the Payeezy Firstdata for signing and then I get an e-mail with final parts for generating certificate keystore file. – richardev Oct 23 '18 at 04:25
  • @RicardsMucelans so do you just need to add a new root cert to your existing CA? Is this a standard CentOS 7 build etc? – user3788685 Oct 24 '18 at 18:25

1 Answer


I found my solution here: https://gist.github.com/oussemos/cf81d86a446544bfa9c92f3576306aff
Don't do line 403: `openssl s_client -showcerts -connect github.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycertfile.pem`

In short:

  1. Open SSH and run the commands below as sudo
  2. `update-ca-trust force-enable`
  3. `update-ca-trust extract`
  4. `cp certificate.pem /etc/pki/ca-trust/source/anchors/` (change certificate.pem to the certificate that you want to add)
  5. `update-ca-trust extract`
richardev
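The following script is an added example and is not code from the question, the answer or the linked gist. It ties the two halves of the thread together: the question's openssl output (which file is the leaf certificate and which is its issuing CA) and the answer's update-ca-trust steps. `verify_chain` runs the same check the remote peer performs when it reports "Peer does not recognize and trust the CA that issued your certificate", `keystore_certs` shows what actually ended up inside the PKCS#12 keystore, and `ca_in_bundle` confirms by fingerprint that a CA placed in `/etc/pki/ca-trust/source/anchors/` really appears in the extracted bundle (`/etc/pki/tls/certs/ca-bundle.crt` on CentOS 7). File names such as ECOMM-test.pem, 1234567.pem and 1234567keystore.p12 are taken from the question; the function names, the assumption that ECOMM-test.pem is the CA to trust, and the `run` argument are mine.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Helpers for
# diagnosing "Peer does not recognize and trust the CA that issued your
# certificate" and for installing a CA into the CentOS 7 trust store.
# File names such as ECOMM-test.pem, 1234567.pem and 1234567keystore.p12
# are the ones from the question; the function names are assumptions.
set -u

# Print subject and issuer of a PEM certificate. The issuer of 1234567.pem
# must be the subject of the CA you are about to trust (assumed here to
# be ECOMM-test.pem).
cert_identity() {
    # $1 = PEM certificate
    openssl x509 -in "$1" -noout -subject -issuer
}

# List the certificates (without keys) bundled in a PKCS#12 keystore;
# prompts for the export password given to "openssl pkcs12 -export".
keystore_certs() {
    # $1 = .p12 keystore
    openssl pkcs12 -in "$1" -nokeys | grep -E '^(subject|issuer)='
}

# Check that a leaf certificate chains to the given CA file. This is the
# same test the remote peer applies to the certificate we present: a line
# ending in ": OK" means the chain closes, anything else is the error.
verify_chain() {
    # $1 = CA certificate(s) in PEM, $2 = leaf certificate in PEM
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# SHA-256 fingerprint of a PEM certificate as a bare AA:BB:... string.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 if the CA certificate is present in an extracted trust bundle
# (on CentOS 7: /etc/pki/tls/certs/ca-bundle.crt). The bundle is split
# into single certificates and compared by fingerprint, not by file name.
ca_in_bundle() {
    # $1 = CA certificate PEM, $2 = bundle path
    want=$(cert_fingerprint "$1")
    tmp=$(mktemp -d)
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { if (out) close(out); n++; out = d "/" n ".pem" }
        out { print > out }' "$2"
    found=1
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || break
        if [ "$(cert_fingerprint "$f")" = "$want" ]; then found=0; break; fi
    done
    rm -rf "$tmp"
    return $found
}

# Install a CA into the system trust store (run as root on CentOS 7) and
# confirm that update-ca-trust actually emitted it into the bundle.
install_ca_anchor() {
    # $1 = CA certificate PEM
    cp "$1" /etc/pki/ca-trust/source/anchors/ || return 1
    update-ca-trust extract || return 1
    ca_in_bundle "$1" /etc/pki/tls/certs/ca-bundle.crt
}

# Usage with the question's files: sh trust_ca.sh run
if [ "${1:-}" = "run" ]; then
    cert_identity 1234567.pem
    if verify_chain ECOMM-test.pem 1234567.pem; then
        echo "1234567.pem chains to ECOMM-test.pem"
    else
        echo "1234567.pem was NOT issued by ECOMM-test.pem: check which file is the CA"
    fi
    install_ca_anchor ECOMM-test.pem && echo "ECOMM-test.pem is now in the system bundle"
fi
```

Run `verify_chain` before touching the trust store: if the leaf does not chain to the file you are about to anchor, adding that file will not change the peer's verdict. `ca_in_bundle` matches by fingerprint so a renamed or re-encoded copy is still recognised, and it is the check to run after step 5 of the answer to confirm that `update-ca-trust extract` picked the anchor up.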